net-kingdom/sso-mfa/k8s/authelia/configmap.yaml
Bernd Worsch 0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:31:51 +00:00


# ConfigMap — Authelia configuration (namespace: sso)
#
# Contains the full Authelia configuration.yml EXCEPT sensitive values,
# which are injected at runtime via environment variables from authelia-secrets:
#
# AUTHELIA_JWT_SECRET_FILE
# AUTHELIA_SESSION_SECRET_FILE
# AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
#
# The *_FILE convention tells Authelia to read the secret from a file path
# (mounted from the authelia-secrets K8s Secret — see deployment.yaml).
#
# Caveat on the last entry: Authelia's documented *_FILE mappings cover scalar
# keys; environment variables are not mapped into list entries such as
# oidc.clients[0]. Confirm with `authelia validate-config` that the client
# secret is actually loaded. If it is not, the usual alternatives are the
# template config filter ({{ secret "/path" }} with
# X_AUTHELIA_CONFIG_FILTERS=template) or putting the bcrypt/pbkdf2 hash of the
# client secret directly in this file, which is the form Authelia stores anyway.
#
# Access control policy is deliberately set to one_factor (password only).
# MFA is handled out-of-band by KeyCape via the privacyIDEA adapter AFTER
# Authelia confirms the user's password. Authelia must NOT prompt for a
# second factor; doing so would double-challenge the user.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-config
  namespace: sso
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
data:
  configuration.yml: |
    ---
    theme: dark
    server:
      host: "0.0.0.0"
      port: 9091
    log:
      level: info
    # jwt_secret: injected via AUTHELIA_JWT_SECRET_FILE
    authentication_backend:
      ldap:
        # LLDAP preset configures the correct attributes for the lldap/lldap image.
        # The explicit attribute keys below override the preset's defaults.
        implementation: lldap
        url: ldap://lldap.sso.svc.cluster.local:3890
        base_dn: dc=netkingdom,dc=local
        username_attribute: uid
        additional_users_dn: ou=people
        users_filter: "(&(uid={input})(objectClass=inetOrgPerson))"
        additional_groups_dn: ou=groups
        groups_filter: "(member={dn})"
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: displayName
        # Least-privilege note: this binds as the LLDAP admin, which can write the
        # whole directory. Authelia only needs read access (plus membership in
        # lldap_password_manager if password reset is used), so a dedicated bind
        # user in lldap_strict_readonly is sufficient.
        user: uid=admin,ou=people,dc=netkingdom,dc=local
        # password: injected via AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
    session:
      name: authelia_session
      # secret: injected via AUTHELIA_SESSION_SECRET_FILE
      expiration: 1h
      inactivity: 15m
      # domain is the registrable parent, so the session cookie is sent to every
      # *.coulomb.social host (kc, lldap and pink included). The OIDC code flow
      # itself only needs the cookie on auth.coulomb.social; KeyCape receives an
      # authorization code on its redirect URI, not this cookie. Consider a
      # narrower scope unless forward-auth for other subdomains is planned.
      domain: coulomb.social # CP-NK — parent domain; update if hostname domain changes
    regulation:
      max_retries: 5
      find_time: 2m
      ban_time: 10m
    storage:
      # encryption_key: injected via AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
      local:
        path: /var/authelia/data/db.sqlite3
    notifier:
      disable_startup_check: true
      filesystem:
        filename: /var/authelia/data/notification.txt
    # ── Access control ────────────────────────────────────────────────────────
    # one_factor = password only. MFA is handled by KeyCape + privacyIDEA.
    # Do NOT change to two_factor here.
    access_control:
      default_policy: one_factor
    # ── OIDC identity provider ────────────────────────────────────────────────
    # Authelia acts as an upstream OIDC provider for KeyCape.
    # KeyCape is the only registered client.
    identity_providers:
      oidc:
        # hmac_secret: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
        # issuer_private_key: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
        clients:
          - id: keycape
            description: "KeyCape IAM Orchestration Layer"
            # secret (bcrypt hash): injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
            public: false
            authorization_policy: one_factor
            consent_mode: implicit
            redirect_uris:
              # CP-NK-004 — update if kc.coulomb.social hostname changes
              - "https://kc.coulomb.social/authorize/callback"
            scopes:
              - openid
              - profile
              - email
              - groups
            grant_types:
              - authorization_code
            response_types:
              - code
            response_modes:
              - query
            userinfo_signing_algorithm: none
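The comments in this ConfigMap state three invariants that are easy to break in a later edit: Authelia stays at one_factor everywhere (MFA is KeyCape's job), no secret key ever carries an inline value in the ConfigMap, and the OIDC redirect URI is https. The script below checks those invariants against a configuration.yml. It is an added example written for this page, not the repository's own verify-t05.sh; the sample file it writes is constructed from the active keys above, and the kubectl command in the header comment is an assumption about how the live config would be extracted.

```shell
#!/bin/sh
# Invariant checks for an Authelia configuration.yml of the shape above.
# Added example (not the project's verify-t05.sh). Assumes the config text is
# in a file; on a live cluster it could be pulled with (assumption):
#   kubectl -n sso get cm authelia-config -o jsonpath='{.data.configuration\.yml}' > cfg.yml

# active_lines FILE: print the config without comment lines.
active_lines() {
  grep -v '^[[:space:]]*#' "$1"
}

# check_authelia_config FILE: return 0 if every invariant holds, 1 otherwise.
check_authelia_config() {
  cfg="$1"; rc=0
  active=$(active_lines "$cfg")

  # 1. MFA belongs to KeyCape/privacyIDEA: no two_factor policy anywhere,
  #    and the access-control default must be one_factor.
  if printf '%s\n' "$active" | grep -q 'two_factor'; then
    echo "FAIL: two_factor present; Authelia would double-challenge the user"; rc=1
  fi
  if ! printf '%s\n' "$active" | grep -q 'default_policy:[[:space:]]*one_factor'; then
    echo "FAIL: access_control.default_policy is not one_factor"; rc=1
  fi

  # 2. Secrets arrive via *_FILE env vars; none of these keys may carry an
  #    inline value in the ConfigMap (commented-out keys are ignored).
  for key in jwt_secret secret client_secret encryption_key password hmac_secret issuer_private_key; do
    if printf '%s\n' "$active" | grep -Eq "^[[:space:]]*${key}:[[:space:]]*[^[:space:]]"; then
      echo "FAIL: '${key}' has an inline value in the ConfigMap"; rc=1
    fi
  done

  # 3. OIDC redirect URIs must be https; an http:// entry would leak the
  #    authorization code in clear text.
  if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*-[[:space:]]*"?http://'; then
    echo "FAIL: plaintext http:// redirect URI"; rc=1
  fi
  return "$rc"
}

# write_sample_config FILE: constructed sample mirroring the ConfigMap's active keys.
write_sample_config() {
  cat > "$1" <<'EOF'
theme: dark
authentication_backend:
  ldap:
    implementation: lldap
    url: ldap://lldap.sso.svc.cluster.local:3890
    user: uid=admin,ou=people,dc=netkingdom,dc=local
    # password: injected via AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
session:
  name: authelia_session
  domain: coulomb.social
access_control:
  default_policy: one_factor
identity_providers:
  oidc:
    clients:
      - id: keycape
        # secret (bcrypt hash): injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
        authorization_policy: one_factor
        redirect_uris:
          - "https://kc.coulomb.social/authorize/callback"
EOF
}

# Usage: sh check-authelia.sh path/to/configuration.yml
if [ "$#" -gt 0 ]; then
  check_authelia_config "$1"
fi
```

The checks are line-based on purpose: they run anywhere `sh` and `grep` exist, including a minimal CI image, and they operate on the rendered ConfigMap text rather than on Authelia's parsed view, which is exactly where an inline secret would be committed by mistake.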